
Securing the Internet of Things (IoT) in a Decentralized World

BSides Edmonton · 2024 · 36:17 · 55 views · Published 2025-01
Category: Technical
Style: Talk
About this talk
BSides Edmonton, September 23-24, 2024
Talk: Securing the Internet of Things (IoT) in a Decentralized World
Abstract: In an interconnected landscape where IoT devices proliferate, ensuring their security becomes paramount. This speech explores the challenges and strategies for securing decentralized IoT systems. We will delve into device authentication, data integrity, and resilience against attacks. We will also show how to leverage blockchain to create a more secure and decentralized IoT future.
Speakers: Agbai Obasi, Ruth Ogadina
2024 Slides: https://drive.google.com/drive/u/0/folders/1ess6fUZNd9BbWK7pPBrh8UVE-7GXtMyG

Transcript [en]

Concordia. We have Ruth and Agbai. They are going to present on the Internet of Things in a decentralized world and security relating to that. If we can give them a warm applause, welcome

please.

Hello, good afternoon everyone. Uh, it's an honor to be here at this very prestigious cyber security conference, BSides Edmonton. My name is Agbai Obasi and this is my colleague Ruth Ogadina. Like the presenter said, we are both grad students at the Concordia University of Edmonton and, uh, before I move on I'd like to say a big thank you to each and every one of you, from the organizers, uh, the volunteers, everyone here including yourself. Thank you. So last year myself and my colleague, uh, we here... okay, yeah, can you hear me now? Okay, yeah, thank you very much. Last year myself and my colleague were here, uh, as volunteers. We served at this place. After

listening to some of the speakers, and we got inspired to be a part of something bigger. Today we stand before you not just as students and not only as volunteers but also as passionate advocates of cyber security. Uh, we're going to be talking about securing the Internet of Things. We look at what are IoTs, decentralization on the blockchain; we look at how the implementation of blockchain can help in securing IoTs, touch some of the challenges, show a case study, future outlook, and then we can conclude. We hope you find our presentation not only intriguing but also interesting. Thank you very much. So what are IoTs? Uh, IoTs in short stands for the Internet of Things, and this is the network of

interconnected physical devices that have a sensor, that has a software program and network connectivity that allows it to pick data, communicate data over the network and even exchange data. So IoTs are all about picking up data and exchanging data. We have IoTs everywhere as embedded systems. We have IoTs in our smart wristwatches, we have IoTs in our phones, our TVs, smart cities, almost everywhere. So IoTs are data-driven systems and, like you can see on the screen, the sensors pick up any form of data, temperature, humidity, pressure, whatever it is set to pick up, and transfers this data over the IoT cloud, um, the, the gateway, straight to the cloud where it's been operated by various

cloud services such as GCP, Google Cloud Platform, Azure, and when it is being, uh, processed, stored, it is sent back to the mobile app or end users for better decision making. All right, we know how much the internet is expanding, and it's expanding at a very fast pace. So as the internet is expanding, so does the Internet of Things. Currently the market size of industrialized IoT devices is over 860 billion, and we looked up Statista; you could see that by the year 20... 2033 it is projected that IoT or interconnected devices will be hitting about almost 40 billion. So this means, why this is a good thing, why this, why this expansion is a good thing, because most businesses are

going to the cloud, individuals have access to various internet devices, but it also poses a high security risk because our data is being sent across and most of the IoT devices rely on, uh, cloud servers, centralized security models, and these security models may not be able to combat, uh, the modern security threat, leading to this risk, risk in data integrity. Data integrity comes from unauthorized access of our data, uh, encryption capabilities where we are not able to secure our data as it moves from one end to another, privacy issues, common framework, update. We know update is a real issue for security because most devices are compromised when we download malicious programs. Uh, I did a little

look back at the CrowdStrike, uh, outage; it came from a faulty security update. So we are going to look at how the adoption, or how we, how we can improve the security of IoT devices by including decentralization, moving away from a centralized server or centralized security model and adopting blockchain to enhance end-to-end encryption. So my colleague is going to continue and talk more about the decentralization and the adoption of blockchain. Thank you.

Hi everyone. Um, as earlier mentioned, my name is Ruth and I'm also from Concordia University. I'm going to introduce to you the main two concepts of our presentation today, decentralization and the blockchain, and to start off this section I'm going to start with a really nice quote by the

founder of Chainlink, who is Sergey Nazarov, and he said: "Cryptographic truth is a superior way for the entire world to operate. Once you experience the transparency, the personal control and lower risks of a world that is powered by truth rather than a world that's backed only by just trust, 'just trust us' ideas, you simply cannot go back." Three main words that I would like you to take note of are transparency, personal control and lower risks. These are the things that would be available to you when you implement decentralization in your current or your future IoT systems. Since IoT, um, the blockchain technologies deal with decentralization, every single transaction or every single, like, action

or your information is transparent, is made public, so you're aware of when someone is trying to tamper with your information, who is responsible for that, and this can help you make better business decisions. So to start off I'm going to talk about decentralization and the blockchain and give you some brief definitions for better understanding. So decentralization is a technology, or it's a con..., and it's a concept that removes the need for a centralized authority by ensuring verification through a group of network nodes, rather than one singular authority, that work together and record transactions in a publicly available and connected manner with the use of encrypted blocks or ledgers. So instead of one person just, or one organization

being in charge of all your data without you having any knowledge as to whether they're selling it or whether they, you know, are updating it or changing it without your knowledge, it makes you to be fully aware and fully alert of every single thing that's to information. With regards to the blockchain, I would like to explain this with, like, an accounting terminology. So blockchain just refers to, like, a specific or unique type of, um, distinct ledger technology that records transactions in a chain of blocks. So instead of recording data in, like, you know, a tab format, blockchain records data in blocks, and these blocks are very secure because they, they have to do with cryptography keys and encryption

technologies. So I'm going to talk about some security features and use this to explain, give you some reason as to why you should secure your IoT devices or your IoT systems with the blockchain, starting off with transparency. As earlier mentioned, the blockchain deals with, um, and decentralization deals with, like, making your, making, um, information that has to do with the update of your, of your information in the public available manner, so it's easy for you to track changes to your, to your, um, information. You can track when someone is trying to maybe authorize something without your permission, whether someone is trying to update the information without your permission, and you can also track when someone is trying to sell your data. So

I'm going to use this to, um, slide into the next security feature, which is decentralization. It mitigates a single point of failure by removing that centralized authority. Now that you have just as much control over your information and over your data as any other centralized authority, you can choose whether to sell your information to someone else, you can choose the conditions for you to, you know, disport your information to another authority. Another security feature is immutability. So in the blockchain, before a new block of data or a new block of information is added or removed or altered, um, it has to be approved by the group of network nodes in that network, so you can, when someone is trying to, um,

do something or maybe change something, it's, it would be hard for, for an attacker to try and, like, you know, take advantage of a compromised identity because of data integrity. So another security feature is consensus mechanisms. Since it's not just one authority that is making use of or is in charge of, like, handling your data, it's a group of network nodes, this group of network nodes have different conditions for, um, completing a transaction or making a transaction. There's proof of work, whereby any authority that wants to have the final say in handling the information has to have, like, a really, um, high or place that is already authorized; maybe he's a CEO or maybe is, it's

someone that actually has the power to change your information. Then there's also proof of, of stake, whereby the person in charge of, like, handling, or the person in charge of making the final say, is someone that has more to offer to complete the transaction. Then the last security feature, which is also the most important, is smart contracts. So smart contracts help you to automate processes in your IoT system. Instead of having to manually wait for maybe a condition and manually, like, input or manually change something, you can easily set smart contracts, which are like smart agents, which would actually do the things you want them to do when you want them to do it, as long as predefined

conditions are met. For example, you could set a condition whereby every single data that you have or maybe you store in your system should be deleted after a whole week. Instead of having to remember to, or maybe set someone in charge of remembering to update your information after a week and then not fully trusting that they are able to handle that particular task, you can set smart contracts to automatically execute this type of, um, this type of operations on your behalf, and since it's automated you don't have to worry about anything and can focus your time and your energy on other business decisions. So I'm going to talk about some of blockchain's use cases in IoT. So

regardless of whether, what type of technological industry you are in, you could be working in the healthcare industry, you could be working in the automotive industry, in the smart home industry, you could be working in retail, there's always a space available for you to use blockchain in your current or future IoT systems. For example, I'm going to give an example using the healthcare industry. You may think, oh, because you're working in the healthcare industry you can just rely on, you know, a normal database or whatever, but with the blockchain you can actually secure every single information system in your current system. For example, you may deal with, um, you may be working in the part

of the hospital that, um, that is involved with importing pharmaceutical goods for your patients. Because this, this, this deals with, like, actual lives, you may want to verify the source of where the data, where the goods are coming from. You want to keep track of when it's, where it's coming from, when it's going to come, and whether any other person has access to that drug in case they want to, like, tamper with it. With the use of blockchain in your IoT systems you could have sensors that track the temperature of the goods as they are coming, track the location, and you're fully sure and fully aware that no other person has access to it or no other person is trying to

tamper with it, because once someone is trying to do that, since it's not handled by a centralized authority, you are fully aware of taking the next steps; like, you may hold the transaction or you may choose not to, you know, use the goods that eventually arrive. Another example is supply chain management. Using a similar example, for example, you could be working as a wholesaler, you could have, like, a superstore here in Canada, and you may be importing goods from another country and you want to know maybe, um, these types of goods have to be, uh, handled in a particular temperature. You can have IoT systems that would tell you in real time the temperature of the

goods, so you can know that the goods are coming in good condition and that you can maybe, um, you can maybe, like, have better insurance policies. Like, for example, if the temperature drops you can maybe sue the person that is in charge of handling your, handling your goods but not taking proper care of your, of your goods, so that when it comes in they cannot, like, put the blame on you, that, oh, uh, it wasn't in our hands, because you actually have full information of when the temperature dropped and when the quality of the goods deteriorated. Okay, before, I'm going to talk about some challenges, but I also want to use, like, a real-time example. So there

was, there was an incident recently with the Hezbollah pagers, whereby they had imported some pagers and some walkie-talkie devices from, from a distributor, and when it arrived it had, like, contained bombs and some people had died; it had just completely blown up. They had been tracking the location of the, of the pagers before they arrived and they thought that it was coming in an original manner, they thought that what they actually ordered was what came in, but that was not the case, because what came in was already contaminated. With use of blockchain they would have known who was responsible for, um, when someone tampered with the goods or switched the goods and who was

responsible for doing that. Moving on to some challenges, um, I'm going to start with resource constraints. So as my colleague mentioned, IoT devices are technological devices that have been created for a particular purpose. Smart watches could either tell you the time or they could tell you, help you track your heart rate, your sleep rate. Smart fridges could tell you what is in your current fridge and maybe what you need to get from the store, and, you know, P, or like, um, smart rings also tell you that, maybe they could also track your fitness level, like your heart rate while you're working out and everything. So they, they are created for a specific purpose. Their processes, their processes are designed

with that particular purpose in mind, so they may not be able to, like, carry out really strong cryptographic operations. You cannot say that a smartwatch has the same computational power as maybe a laptop or, like, a full-on technological system. Another challenge is consensus drawbacks. Yes, the decentralization, whereby there's transfer of control, it's possible for an attacker to maybe go the extra mile to, um, hack into or access most of the network, most of the group of network nodes in that decentralization chain, and that could cause a, a problem or, like, leave an opening for a 51% attack. Then the next challenge I would like to speak on is latency. Latency just means, um, a delay in

a transaction or a delay in a process. Because some IoT devices may be using a very high-end, um, blockchain technology, they may take some time in completing a transaction or updating a record, and if you are someone that needs real-time information when it's happening and you need to have, like, um, really updated information, this may prove a problem. So it's very, it's very important to make sure that you use the right blockchain technologies or use the right IoT systems with strong enough processors to handle, um, the blockchain technologies. The last challenge is the regulatory landscape. So since this is a very, relatively new field, a lot of people are still making use of decentralized authority; most people

are not using, you know, blockchains in their current systems. There's no global standard for, or global recommendation for, integrating these systems in for people, so there's no globally recognized standard like maybe Co or, or, you know, PS one that's widely recognized by a lot of people, but, but do not F because more people are interested in researching upon these things and building upon these current things.

Okay, um, we've learned a little bit about blockchains, we also talked about IoT devices, and we're going to show a case study and move into future outlook. We looked up what are the most vulnerable devices and what are the riskiest devices according to Fout and zds. We saw that, uh, IP cameras and IP

cameras account for one of the most riskiest devices in this year, 2024. This has, this, the issues with IP cameras come from a lot of places, but we saw iot have done a deep research, so, and narrowed down some of the main security issues of IP cameras. One of them comes from user or password-based logins, and user or password-based login could be having a portion of your website that allows the, anybody who is, a person who needs access to put in his username and password. Issues come from not changing your password, not having a good password policy, not using, uh, multifactor authentication. Another issue that's affecting the IP cameras is data integrity of cloud storage or local

storage, coming from unencrypted data transmission, and this has to do more with end-to-end encryption. The next one is data breaches. We, we are noticing a lot of data breaches, and for IP cameras it comes a lot, and once a data breach occurs, maybe from a man-in-the-middle attack or any other network attack, it leads to ownership compromise, which also goes to hijacking. It could hijack the camera feed and manipulate it, it drop, and that's a major security issue. So one of the ways iot was able to solve the challenge of, uh, user-based logins was to introduce no-password authentication. No-password authentication was really strange to me when I was looking at this stuff. It says

the, the user or anybody who is requesting access was going to authenticate using cryptographic keys, and we have a pair of keys, public and private. So the user has his private keys and the public key is going to be registered on the blockchain ledger. So instead of going and putting in your username and password, you just come with your private key. Your private key can be stored anywhere; the private key can be stored in your mobile app, can be stored in your wallet or hardware, wherever, and that is to you, and with your private key you cross a random security challenge. The smart contracts on the blockchain will authenticate if you are a legitimate user by corresponding your private key

to the public key that is already registered on the blockchain, and if you are an authorized user you have access, but if you are not your access is going to be, um, denied. So this way we are doing away with the use of, um, user-based logins, which could lead to, uh, credential stuffing and various related attacks. The next one is to secure data transmission. Uh, blockchain is decentralized; like she's mentioned, it has many security features and decentralization is one of them. Mostly the IP cameras store their encryption keys on a cloud server, and this means when an attack happens the attacker just breaks into the database, picks up the encryption key and manipulates whatever data is being

transmitted. So if we move from a centralized, uh, security model to decentralization, we can store these encryption keys on the blockchain ledger, and this is a second way to increase, uh, security, because the only person who has access to this ledger is the one with a private key. So this is the second way we can, uh, enhance security. Further is to move to a blockchain-based ownership, um, system. When we buy our IP cameras, the ownership data is mostly stored in the cloud. We can keep our ownership data, who has the camera, the date, everything, and if an attacker gets access to this thing he can just change it and has, and hijack it,

hijack the feed, hijack the camera stream, whatever. But if we can move, like I've been mentioning, from a centralized model to a decentralized model by storing this ownership data, registering it on the blockchain, blockchain's immutable nature or tamper-proof ledger would not allow an attacker to easily modify this, increasing data integrity and also securing the IP home camera or related IoT devices. So one way to design a more secured, uh, IP home camera would be to replace the weak password login system or the user-based login system with no-password authentication, using cryptographic keys to just pay and authenticate. Second way would be to adopt, uh, a blockchain-based encryption key management system. Instead of regularly or traditionally

storing your encryption keys in the cloud or other centralized storages, you can move it and put your encryption keys registered on the blockchain ledger to enhance security. Finally, device authentic..., uh, ownership should be registered on the blockchain. So that's the research we saw from iot official.

Going to talk about some recent developments, and all these recent developments I'm going to speak about, uh, with respect to the previously mentioned challenges, so you can still fully trust in integrating blockchain in your systems, because day and night more and more researchers are building up new ways to secure your current systems. So when I spoke about regulatory, the regulatory landscape as a problem with respect to it being, you know, new, um, I

would like to bring to your notice that the IEEE regularly, annually provides frameworks integrating zero trust access control in blockchain-integrated IoT systems. With these new frameworks that they keep uploading and keep updating, they provide recommendations to you, and you as a business owner, you as a consumer, can choose which ones can help to improve your current business decisions. Um, then the next recent development is one that deals with latency. So Rael Tang and some other researchers who were interested in improving latency of blockchain-integrated IoT systems, they developed a new, and introduced a new peering system for, um, pairing a node to other network nodes, and the name of the paper is called

"Strategic Latency Reduction in Blockchain Peer-to-Peer Networks". So in their research they introduced what is called the Peri peering system. So instead of a network node on the blockchain pairing with, you know, any random, um, number or any random type of node on the network or endpoint, their Peri peering system helps to, um, strategically decide which node to connect with, a node that is, that has enough computational power to actually complete the cryptographic operations, one that can easily process these operations not only fully but also in time. So this, this, the new system is one that can be adopted in any IoT system, and this would help you to, um, help you to keep track of, like,

real-time data, since it helps to reduce latency. The next challenge that my, the next development is going to tackle is resource constraints. So, um, Mam and some other researchers helped to, they dived into different industries and different IoT devices that make use of, different, um, IoT industries that make use of the blockchain. So if you feel maybe worried that, um, your system is too, you know, it's not really advanced enough, you can read that paper and then, um, get more motivated to integrate this, um, new technology in your system. Then the last recent development I would like to talk about is one by W, I'm sorry, e, and they address the consensus mechanism problem.

So they made use of what is known as multi-agent reinforcement learning, or MARL, and this particular machine learning, um, technique helps to reduce, or to improve consensus mechanisms, and it does so by improving the fairness of who is, who has the final say in the group of network nodes to update a transaction or remove a transaction, which is like an entry in a, in a data table. Then I'm going to talk about some future outlooks, like what you and all of us cyber security enthusiasts can expect to see in the nearest future with regards to the integration of blockchain technologies in IoT devices. So what, the first one I'm going to talk about is

hybrid blockchain models. So if you're planning on maybe creating a startup like Shopify, whereby you want your customers to have a lot of control in how they maybe manage their resources, or creating e-stores or anything, you can store your information on the blockchain network so that they can have more control over their, over their information. This helps to build customer trust, and more people may be drawn to adopting your, um, your resource or your system just because they trust that they also have as much control as you, and what, you're able to still do this, like, still give your customers access to their information. You could also have a private model where you can store your

confidential information; you can store your company blueprints, you could store your company's, um, private accountant information on the private end of the blockchain, so no one except people that are previously authorized in your company can make use of that, and you could do that by using, like, a proof of authority consensus mechanism. Um, the next future outlook I would like to talk about is lightweight blockchain protocols. There are so many, um, current lightweight protocols now, and more people keep coming up with new ways to, um, create new protocols for IoT devices. In previous science people just focused on creating cryptographic operations for, um, devices or technologies that have high computing powers, high computing, or that were very,

very, like, um, resource intensive, but nowadays, because of the adoption of IoT devices, because more people are implementing it in their various sectors and various industries, more people have dived into researching, into developing new specialized cryptographic algorithms that can be easily run on the IoT system, such as the Simon algorithm, the Speck algorithm, the PRESENT algorithm and so many more, and day by day, year by year, you can easily read up on how these things were done so that you can have more trust in integrating these, um, technologies in your current systems. The last future outlook I would like to talk about is decentralized identity management, and I would explain this by talking about how, you know, the

blockchain and decentralization helps you to allow your devices, who have, which definitely have accounts, to have verifiable, unique, um, cryptographically verifiable identities that are not controlled by a central authority. So instead of having to maybe lean on maybe, um, Azure, like using Microsoft Entra to, like, verify authority, verify authority to access a particular type of information in your system, you can make sure that every single account has a cryptographically verifiable, um, verifiable identity, whereby their nodes or their endpoints, their devices, can create, um, can effectively compute a cryptographic algorithm before accessing information, and this helps build trust. So we're going to conclude now.

Okay, okay. In conclusion, uh, we say securing IoT devices with blockchain technology offers a robust solution and

leads to solving some of the security challenges that we've mentioned, also, uh, the challenges that arise from the Internet of Things and complexities in data transmission. Using, by making use of blockchain techniques in your current systems you can enhance data integrity for yourself, build trust with your customers, build your own reliance on the internet and, like, internet structures instead of a normal standard local storage database; you can improve authentication and you can protect yourself, your businesses and your users' privacy. Okay, this integration not only mitigates, uh, the risk but it also paves the way for a more trustworthy IoT system. So these are some of the resources that we made use of while

researching and preparing this presentation, and feel free to access them or regularly check on many publishing websites such as IEEE, um, Springer Link and so on, and thank you for having

us. Okay, you can ask your questions. Kindly ask your questions.

I was, so from your pres..., mostly, do you guys know anybody that actually implemented this and is using it in, um, in a corporate setting?

This, this, the research was mostly from research and iot test, especially my, when I talked about the use cases on how to move from a user-based login to, uh, no-password authentication. iot official is a big company and they did a research about that, but I can't tell for sure if they're using

it.

And so, um, like, how big a problem is that? Because it seems like it's, from what we're describing here, there's a lot that has to go on, um, in the process of trying to authenticate and then getting to use the product and stuff like that. So when we talk about latency, like, how much latency are we talking about?

Um, for example, you may be a doctor that has to, like, quickly track or quickly access your patient, um, health care information. You may want to know maybe if his blood pressure is dropping. So in scenarios like that where you really need real-time information, yes, it could be a problem, but when it refers to

authentication, it, it's not something that should be seen as a really big problem when you want to integrate blockchain

technologies.

No, no big, no big brands have implemented it yet, possibly because of the, there's no, like, global, like, restriction or global recommendation how, on how to implement it, but as time goes on, as time goes on, more people are going to keep implementing it, as there's a lot of interest in using blockchain now amongst normal consumers. So because of how, like we talk about how the market size of the IoT is expanding because more people are adopting it, big companies would definitely, I feel like they're going to definitely adopt this in the nearest future.

Yeah, also we solicit that they start using it. One of the security challenges we mentioned here was regulatory con..., complaint, um, constraint, and this is

because most companies are not yet using these things, there are not many policies that are supporting it, and with the growing need of, with the growing, or the expansion of IoT devices, we need to look into these things.

Is there any push, any organization pushing for this, adoption of this standard?

IEEE, like, they annually, like, regularly upload recommendations to integrate blockchain systems, and they not just do this by motivating you, by giving you reasons to do so, they actually do have recommendations and steps. So these steps are seen as, like, a push for more people to adopt it. They're making it easy for you to understand how, like, different ways of integrating smart

contracts, for example, in your system.

Thank

you.

Yeah, okay, there's someone over

there.

Thank you. Well, first of all, thanks for the presentation, uh, great information. So I reckon this is your research project and, and primarily you focused on blockchain and more on the software side of the IoT devices, securing that. What about on the hardware itself? Have you done some research on how to secure the device right at the hardware level itself, uh, preventing, uh, the cyber security fraud, you know, programming right at the firmware level, more focused on the hardware, so to encounter latency on the blockchain side of the things, because that's again, that's all internet traffic, you know? So right at the onset, on the hardware, anything on that?

Yes, whenever, um, a researcher or a developer tries to

develop a new algorithm, they are not allowed to publish it without proving that it can run on IoT devices. So for cryptographic algorithms such as Simon, Speck or, um, s c WM or S es CH, whenever they are uploading these algorithms and it's approved by IEEE, they actually test on hardware devices. They check maybe how much time it takes to process information, and they have, like, a minimum time frame that it must complete an operation. So yeah, it's, any algorithm that is approved by IEEE has been tested, has had its performance, performance analyzed with actual IoT devices.

Questions? Do we have any other

questions? Okay, in the absence of, uh, any other questions, we want to say a very big thank you for being here and listening to us. Thank you very

much.